Archive for July, 2006

There is increasing concern about the use of real/actual personally identifiable information (PII) for test and development purposes. I’m also increasingly concerned about the use of PII by sales representatives who are showing demos to potential clients. I was recently surprised to see a vendor showing me a demo of his security software using the actual production data of his clients, which included a vast amount of PII about his clients’ customers, such as names, social security numbers and credit card numbers. He had accumulated this information while doing work for the clients with the software. Needless to say, his demo turned into a long discussion about the risks involved with this practice. Such a practice is an incident and lawsuit waiting to happen. Unfortunately the sales staff at many companies use production data for demo purposes. And it’s not just software vendors. Insurance representatives often show their potential clients demos using PII, as do financial organizations and healthcare companies, plus potentially other industries. Do you know if your sales staff is using your production data?

I just posted a new podcast, "Data De-identification and Masking Methods," a follow-up to my last podcast, "What IT Leaders Need to Know About Using Production Data for Testing." I discuss some of the ways in which data can be de-identified, or masked, for use not only in testing, but also for demo and other purposes. There are many ways to de-identify and mask data. Some are better than others; it all depends upon the type of data you’re working with, the associated application or system, and whether the masked values need to stay consistent across tables or pass the application’s own format checks. I briefly describe seven ways in which data can be masked and de-identified, in addition to an alternative for the slim chance that there is absolutely no way anything other than production data can be used for testing. The ultimate goal is to protect the privacy and confidentiality of PII while also making meaningful data available for testing, demos or analysis.
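To make the trade-offs concrete, here is an added example (written for this page, not taken from the podcast or any vendor tool) that runs several common masking techniques over a handful of constructed, fictitious records: nulling a field, partial masking that keeps the last four digits, keyed pseudonymization with HMAC so that the same SSN still maps to the same token across tables, format-preserving substitution of card numbers that recomputes the Luhn check digit so validation code in the application under test still passes, generalizing a birthdate to a decade, and shuffling names across rows. The sample records and the masking key are assumptions for the illustration; in practice the key lives in a key vault and never travels with the masked data set.

```python
import hashlib
import hmac
import random

# Constructed sample "production" records for this example only (fictitious data).
RECORDS = [
    {"id": 1, "name": "Ann Example", "ssn": "123-45-6789", "card": "4111111111111111", "dob": "1970-03-14"},
    {"id": 2, "name": "Bob Sample",  "ssn": "987-65-4321", "card": "5500000000000004", "dob": "1985-11-02"},
    {"id": 3, "name": "Cy Test",     "ssn": "123-45-6789", "card": "4012888888881881", "dob": "1999-07-30"},
]

# Assumed secret held only by the masking job; never shipped with the masked data.
MASKING_KEY = b"replace-with-a-secret-from-a-key-vault"


def redact(value):
    """Nulling out: the field is removed entirely. Safest, but breaks tests that need a value."""
    return None


def partial_mask(value, keep_last=4, mask_char="X"):
    """Keep the trailing digits and mask the rest; separators survive so format-aware code still works."""
    total_digits = sum(c.isdigit() for c in value)
    seen, out = 0, []
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total_digits - keep_last else mask_char)
        else:
            out.append(c)
    return "".join(out)


def pseudonymize(value, key=MASKING_KEY, length=16):
    """Keyed one-way token (HMAC-SHA256). Identical inputs give identical tokens, so joins across
    tables still work, but without the key the token cannot be reversed or brute-forced from the
    small SSN space the way a bare, unkeyed hash could be."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]


def luhn_check_digit(partial):
    """Luhn check digit for a digit string that lacks its final check digit."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # rightmost digit of the partial is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def synthetic_card(value, rng):
    """Format-preserving substitution: keep the 6-digit issuer prefix and the length, randomize the
    account digits, and recompute the check digit so the result still validates as a card number."""
    prefix, body_len = value[:6], len(value) - 7
    partial = prefix + "".join(rng.choice("0123456789") for _ in range(body_len))
    return partial + luhn_check_digit(partial)


def generalize_dob(value):
    """Generalization: reduce an exact birthdate to its decade, usually all a test needs."""
    year = int(value[:4])
    return f"{year // 10 * 10}s"


def mask_records(records, seed=0):
    """Apply one technique per column. Seeded so the output is reproducible for a test fixture."""
    rng = random.Random(seed)
    names = [r["name"] for r in records]
    rng.shuffle(names)  # shuffling only detaches names from rows; on small sets a name may land in place
    masked = []
    for r, name in zip(records, names):
        masked.append({
            "id": r["id"],
            "name": name,
            "ssn_display": partial_mask(r["ssn"]),
            "ssn_token": pseudonymize(r["ssn"]),
            "card": synthetic_card(r["card"], rng),
            "dob": generalize_dob(r["dob"]),
            "notes": redact("free text that may itself contain PII"),
        })
    return masked


def leaks_original(masked, records):
    """Check every masking job should run before release: no original SSN or card survives verbatim."""
    originals = {r["ssn"] for r in records} | {r["card"] for r in records}
    return any(isinstance(v, str) and v in originals for m in masked for v in m.values())


if __name__ == "__main__":
    for row in mask_records(RECORDS):
        print(row)
```

The `leaks_original` check is the part most often skipped: a masking job that silently passes a column through (a renamed field, a new column added last release) produces a test database that looks masked and is not. Note also that the shuffled names are still real names; if the demo audience could recognize a customer, shuffling is not enough and the name column needs substitution or pseudonymization too.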

Many of the public statements from organizations that have had personally identifiable information (PII) stolen or lost say, a scant two or three weeks (or even two or three months) later, something like "there is no evidence the data has been compromised." Well, here’s a good example of how that PII can still be misused years later.

A week ago it was reported that a Greek ex-soldier had obtained PII about other armed forces personnel while he was serving as an officer three years ago. He, or someone else with access to his computer, just posted that PII and other sensitive information a week or so ago on the Internet. The information was "concerning armed forces personnel, passwords used to access army bases and other details concerning military facilities."

This points out a long-time concern: trusted insiders who are no longer with your company often still possess PII and other sensitive information from your company if they did work outside of the office, or if they used mobile computing and/or storage devices. Today that describes a large share of the workforce.

How do you keep track of who has possession of the PII for which your company is responsible? How do you know who has access to, or copies of, all your sensitive information? How do you collect all that PII from personnel when they leave your company? What controls are in place to lessen the likelihood that personnel with access to PII and other sensitive information use it or post it in inappropriate ways? What controls are in place to notify you when such incidents occur?

This is another good example of an insider threat incident to add to your awareness and training files.

"The FBI and the private company that had been in possession of the state-owned personal computer would not say how or where it was found, only that it was in ‘a secure location.’"

The computer had been missing since May 9. The story did not say specifically when it was found, but implies it was found just this week. So, it was missing for around 2 1/2 months.

"Mike Kachel, a spokesman for CS Stars’ New York City office, said the FBI located the computer, missing since May 9, and that it appeared no one had used any of the information it contained."

These statements are always interesting to me…I’m told by my digital forensic expert buddies that you cannot tell for certain if data has or has not been copied.

Since the FBI was part of the team that found the laptop it seems it was probably found outside of CS Stars’ facilities…but then again, that is supposition.

"The company had earlier offered the affected workers identity theft insurance, 12 months to get free credit reports and access to fraud resolution specialists. That offer still stands, Kachel said."

This is good. When an organization, or the government, offers credit monitoring they should stand behind that offer, even when the computer is found. Because there is no way to tell if the data has been copied, it is foolhardy to believe that just because the computer is found there are not copies of all the data floating around and perhaps being auctioned off to any fraudster who wants to pay for social security numbers, names and addresses. This computer was "lost" for 2 1/2 months…it could have passed through many hands during that time.

"Identity theft is considered one of the country’s fastest growing white-collar crimes. One recent survey reported that there have been more than 28 million new identity theft victims since 2003, but experts say many incidents go undetected or unreported."

"Senate Minority Leader Harry Reid discovered this week he was the victim of identity theft after someone used his MasterCard number to charge about $2,000 at a Wal-Mart and other stores in Monroe, North Carolina. The Nevada Democrat said he found out someone had obtained the number after opening his bill Tuesday night."

The report said he did not know how anyone else got his credit card number. Gee, wonder if his credit card number was on one of the many laptops and hard drives that have been lost and stolen? Perhaps even on one that was recovered and determined to have not been compromised? We’ll likely never know for sure…hmm…

Your organization’s personnel hold the security and privacy of the organization’s information in their hands, both figuratively and literally. Businesses depend upon their personnel to handle their valuable data responsibly and securely. Without effective personnel education, businesses face significant negative business impact, and even possible business failure, from the consequences.

A majority of the incidents in the news have ultimately been due to personnel’s lack of awareness and knowledge of how to properly secure information in all its forms and in the many circumstances in which they handle it. You cannot expect personnel to know how to effectively protect information if you do not communicate to them, on an ongoing basis, HOW to provide that protection while doing their day-to-day job responsibilities.

There are many compelling reasons for businesses to implement an effective information security and privacy education program, including addressing legal and regulatory requirements, raising awareness and understanding, and helping to reduce the insider threat of information misuse and fraud. I just posted a paper, "The Business Need for Information Security and Privacy Education," that discusses the reasons why businesses must implement an effective privacy and information security education program.

I really like investigations where those carrying them out are not afraid to get down and dirty to find out what is really going on at businesses, and to see how sloppy practices put privacy, and personal safety, at risk. Digging into dumpsters to find personally identifiable information (PII) is a great indicator of the information security practices of an organization.

Here’s an article about such an investigation to put within your awareness and training files for the ongoing problems organizations have with properly disposing of PII. WTHR in Indianapolis did an investigation into the trash habits of pharmacies. Indeed there are some very sensitive types of information your friendly neighborhood pharmacy has on file about you and all the other folks who fill their prescriptions. Not to mention tossed drugs…but that’s another story…

Some of the more interesting findings of the research done by the television station:

"Over a two-month period, 13 Investigates reporter Bob Segall visited 65 local pharmacies. Actually, he visited their dumpsters. Some were latched, locked or chained. But most had no security at all – out in the open, 24 hours a day. At those dumpsters, we took whatever we found – it’s perfectly legal."

Just take a nice stroll at lunch through your downtown alleys (if you are in a day-safe area), and I am willing to bet you will also find dumpsters wide open containing papers and other potential PII storage media.

"Perhaps more alarming, we found prescriptions, pill bottles and prescription labels that provided personal information about hundreds of patients. In fact, at pharmacies where we took garbage bags, we found more than half of them trashed their customers’ privacy by failing to destroy their personal information as required by federal law. We learned who’s taking birth control pills, who has an enlarged prostate, which customers suffer from depression and which one has a prescription for genital herpes. And along with it, we learned their names, addresses, phone numbers and birthdates. You won’t hear from any of those particular patients, but others are speaking out."

"Margie Kerr was not so fortunate. A thief came to her Bloomington home and stole her prescription painkillers. Detectives say the thief singled out his 76-year-old victim when he found her personal information in an open dumpster behind her pharmacy."

Drug addicts are desperate to get a fix. What better way to find out who has the drugs they need than by digging through pharmacy, hospital and medical clinic dumpsters? Organizations that do not irreversibly destroy PII before disposing of it are not only out of compliance with HIPAA, but are also putting the individuals to whom the PII applies at a safety risk.

"‘Protections need to be in place,’ said Susan McAndrews, who is a top legal advisor at the Department of Health and Human Services in Washington. McAndrews said the law is clear: customers’ personal health information must be carefully protected. After seeing what we found in the trash, she offered advice for pharmacies. ‘Don’t do that!’ she said. ‘Putting protected health information in a dumpster that is accessible to anyone… is clearly not an example of a reasonable safeguard.’ McAndrews said most pharmacies are bound by HIPAA, a federal law that requires patients’ and customers’ private health information to be protected. Businesses that fail to comply can be fined up to $100 per incident."

A huge problem with HIPAA is the enforcement, or lack of it, of this federal law by the Department of Health and Human Services (HHS). No civil fines or penalties have yet been applied; just two criminal cases have been successfully prosecuted. HHS needs to step up and apply fines in such instances of blatant disregard of the law. Without fines being applied there is no motivation for compliance by covered entities (CEs). If HHS is making statements about how CEs need to comply with HIPAA, it needs to step up to the plate and enforce the law! Just shaking a finger and tsk-tsking at violations of the legal requirements of HIPAA will not motivate most CEs.

"For this investigation, we randomly chose 65 metro-area pharmacies. The test included pharmacy-only stores such as Walgreens, CVS, Osco, Tucker Pharmacy and Low Cost Rx stores. It did not include grocery and retail stores that also offer pharmacy services because dumpsters at those locations contained mostly non-pharmacy trash. During the test, we took trash only from pharmacy dumpsters that offered easy public access. We did not take trash from the 13 pharmacies where the dumpsters were either locked or inaccessible to the public. Nor did we take garbage from the seven pharmacies at which dumpsters were behind a closed fence, even if the fence was unlocked. Trash dumpsters at 15 of the pharmacies were easily accessible but empty at the times we visited. We took trash from the remaining 30 pharmacies with easily-accessible garbage dumpsters, and 19 of them failed to destroy all of their customers’ personal information before placing it in the dumpsters."

Today I read in the Chicago Sun-Times that CS Stars (not sure this is the same organization’s website, but it appears as though it could be), a contractor for the state of New York, could not locate a personal computer New York State had provided to them that contained the names, addresses and Social Security numbers "of as many as 540,000 injured workers."

"CS Stars had been using the computer to move the data from the state to the company’s computerized claim system, according to the letter."

CS Stars is based in Chicago but also has an office in New York.

This story brought many questions to mind…

Were they sending the data by physically taking it on a computer because they thought this was more secure than sending it electronically?

The article indicates it was missing from "a secure facility of the company," so it appears it was not lost while in transit. I wonder what constitutes a "secure facility"? The front door is locked? A locked desk drawer? A facility with guards, two-factor authentication to get in the door, and surveillance cameras? It is always interesting to read these reports of security incidents and see the terminology used. "Secure facility" is a very subjective term and could mean a very wide spectrum of things.

If the facility was such that only authorized people had access to the computer, then the theft (if it was a theft, and not just a misplaced computer now stuck under someone’s desk to prop up their feet) was likely done by an insider. That would put the data at greater risk, since an insider would know the type of data on it and may have planned to use it to commit some potentially lucrative cybercrime.

This story coincidentally came out after I had just visited the Identity Theft Resource Center where they reported "In 2005 there were 151 incidents affecting more than 57.7 million people. Approximately half of the breaches were educational institutions. 16% were banking, credit or financial services. We are tracking 2006 currently. As of the end of April there were nearly 80 large breaches."

"Last year, the inability to produce subpoenaed e-mail resulted in million dollar, even billion dollar, lawsuits against U.S. companies. In fact, 24% of organizations have had employee e-mail subpoenaed, and 15% of companies have gone to court to battle lawsuits triggered by employee e-mail."

What are your records retention policies and practices for not only email, but also instant messaging, voice mail, and other types of files? Be sure you clearly address the issues of email content (typically what is focused upon within policies) and also email retention. This is a very important issue that is often not covered.

I know there are some really amazing stories about the types of email, IM and blog content personnel write and post while at work and/or using their employers’ systems…what are these people thinking? Probably not thinking…

Again, having a good, clearly written policy will help to support your organization’s decision if you need to make a termination or a disciplinary action that is subsequently challenged in court. I know of many instances where cases were thrown out before going to trial, particularly when personnel sued claiming ignorance of a policy, because the organization had policies explicitly stating that personnel could not use electronic communications in certain ways, and also had documented, visible proof and procedures verifying that the policies had been communicated.

"With the blogosphere growing at the rate of one new blog per second, industry experts expect the ranks of dooced [fired] employee bloggers to swell."

Wow…a new blog every *SECOND*? That amazed me. Can that be true? I wonder how quickly blogs disappear? One every hour? Every 30 minutes? What is the ratio of blogs to websites? How many blogs are being set up by personnel under their employers’ domains without the knowledge of the employers?

I also learned a new word…or at least a new meaning for a word…"dooced."

"4% of companies have written e-mail retention/deletion policies in place, in spite of the fact that 34% of employees don’t know the difference between business-critical e-mail that must be saved and insignificant messages that may be purged."

No surprises here. It is a scary fact that a huge amount of confidential and mission critical data is contained within or attached to email messages, that no one really has responsibility for these email security and privacy issues, and that most users have no idea of the risks involved.

Organizations need to implement classification policies and procedures to support the save and purge activities.

"While 35% of employees use IM at work, only 31% of organizations have IM policy in place, and 13% retain IM business records."

I know a large majority of the organizations I speak with indicate they use IM internally. IM communications, even at work, are typically much less restrained in content, opinions, accusations and gossip than email. All of which could get not only the employee but also the employer in legal hot water.

Since a growing segment of business professionals rely upon these communication methods so heavily it is important to have policies governing the appropriate and reasonable use of email, IMs, and blogs.

How many of you have such policies and supporting procedures? I have seen many organizations with email policies and procedures, but very few companies, almost nil, with instant messaging or blog policies.

It is important for business leaders throughout the enterprise to understand the system development life cycle (SDLC) and how decisions made during the process can impact, negatively or positively, the entire business. First and foremost, systems and applications must be built to support the business in the most efficient and effective manner possible. Business leaders must be involved with the process to ensure systems and applications are being developed to meet this goal; the information technology (IT) areas cannot create applications and systems on their own and reach this goal. Second, applications and systems must be created to reduce risk to the level acceptable by the business, as well as to meet compliance with applicable laws, regulations, and contractual requirements.

I just wrote and posted a paper, "The Business Leader’s Primer for Incorporating Privacy and Security," that provides an overview for business leaders about the importance of incorporating information security and privacy into the SDLC, and the key information security and privacy activities to address within each SDLC phase. Let me know what you think, and if you have additional ideas about this topic.

Very surprisingly, today I read in a Guardian Unlimited report from a couple of days ago that "Free credit monitoring for veterans whose personal information was stolen has been withdrawn, the Bush administration said Tuesday, because the laptop containing their data has been recovered."

Data can be copied from hard drives and other storage media without leaving behind any evidence that it was copied. Recovering the hardware tells you where the hardware is now, not where the data has been in the meantime.

"Testifying to a Senate panel, Nicholson acknowledged there were no 100 percent guarantees that names, birthdates and Social Security numbers stored on a VA employee’s stolen laptop and external drive were not accessed or copied. But he said the low risk did not justify a year of personalized monitoring at a taxpayer cost of $160.5 million. ‘Facts have changed, the situation has changed,’ Nicholson said, noting that the stolen equipment has been recovered and that the FBI determined with a ‘high degree of confidence’ that the data was not compromised. Speaking of veterans groups, some of whom are fiercely opposed to the decision, Nicholson added: ‘Some oppose, but some concur, thinking it would be a waste of $160.5 million.’"

So… it’s about the money? It would be interesting to know what facts have changed. Do they know where the stolen equipment was all along?

"Nicholson said the VA was in the process of hiring a company to provide data breach analysis to detect potential patterns of misuse of data. In addition, the department planned to send letters to veterans informing them of free services already available to all citizens, including free monitoring for 90 days and credit reports three times a year."

The credit monitoring services already have the systems in place to detect these types of potential misuse, but the VA is going to hire a company to do this? How will the monitoring a hired company does be able to detect "potential patterns of misuse"?

Global Security Week is September 4 – 10 this year. Have you started planning any awareness activities around it for your organization?

In case you haven’t heard of it, Global Security Week…

"…is an opportunity to join forces with other security professionals worldwide and promote security to the masses. The theme for Global Security Week 2006 is identity theft. Find out about the truth behind the headlines. Is ‘phishing’ a genuine threat? What are the banks doing about it? What can ordinary members of the public do about it? Participate in Global Security Week to help spread the word about identity theft and encourage ordinary law-abiding citizens to be on their guard."

This is a great opportunity to provide awareness messages and activities, as well as training classes, within your organization to raise awareness of issues that impact not only your own organization, but your workers personally. You could also take advantage of this week to provide awareness and training to your customers, business partners, outsourced vendors, and anyone else who touches the information for which your organization is responsible.